With consumer trust on the line, achieving PCI DSS compliance is a key priority for many SMBs. After all...
87% of consumers said they would not do business with a company that had faced a data breach.
Unfortunately, according to the 2018 Verizon Payment Security Report, nearly one in five (18%) organisations do not have a defined compliance program with a defined scope and objectives.
What must you do to achieve compliance?
The PCI DSS (Payment Card Industry - Data Security Standards) levels apply to all merchants, processors, acquirers, issuers and service providers, regardless of size or number of transactions, that accept, transmit or store online any cardholder data.
Fulfilling PCI compliance includes things like:
- Building & maintaining a secure IT infrastructure
- Changing vendor-supplied default passwords & security settings
- Securing cardholder data through encryption, never storing it if possible
- Focusing on ongoing vulnerability management and IT security, including updates, security patches, endpoint devices and user credentials
- Restricting access to sensitive cardholder data
- Tracking and monitoring your IT network for optimal security
PCI DSS compliance is an on-going process, not a 'set it & forget it' business activity.
What are PCI Service Provider Levels? How can a MSP help with PCI compliance?
As a managed services provider, we aren't directly a payment brand, but we provide services like cloud hosting and managed firewalls to customers who are, which involves us in the storage and processing of cardholder data.
Just like merchants, service providers have levels of PCI based on the number of transactions they process.
There are two service provider levels. Level 1 is for those service providers who process more than 300,000 card transactions annually; Level 2 is for those who process fewer than 300,000 annually.
SysGroup is proud to be a PCI DSS Level 1 Service Provider, meeting requirements including:
- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
- Quarterly network scan by an Approved Scanning Vendor (ASV)
- Penetration Test
- Internal Scan
- Attestation of Compliance (AOC) Form
Working with a Level 1 service provider can help you to navigate the different (and sometimes confusing) realm of PCI compliance.
- MSPs are familiar with complex IT environments. They can easily help you map the flow of cardholder data in & out of your organisation.
- IT security is a massive component of PCI compliance. SysGroup's Platinum partner status with WatchGuard means that their exceptional firewalls and security services can secure your network against intrusions.
- On-going network monitoring and maintenance ensures that you remain compliant as your business grows. This is incredibly important, as research shows that of organisations who had a data breach, many had successfully complied with PCI before, but has lapsed into non-compliance since their last assessment.